[solved] ZM server with two IP addresses?

Forum for questions and support relating to the 1.34.x releases only.
DonZalmrol
Posts: 19
Joined: Wed Jun 24, 2020 8:21 am

[solved] ZM server with two IP addresses?

Post by DonZalmrol »

Hi,

I've set up a new dedicated server (an old Dell R310) using Debian 10 and I've configured the two NICs, each with its own static IP.
ENO1 is in my server VLAN for accessing the ZM webinterface, SSH, etc...
ENO2 is in my camera VLAN for directly accessing the IP cams

How can I make sure that:
1. ENO1 is solely used for the management part
2. ENO2 is solely used for accessing the cams

When I do a netstat, I see that the cams are indeed going over ENO2; unfortunately, my management is also going over ENO2 instead of ENO1.
The other option is to bond the two NICs and forget about splitting the traffic.
Last edited by DonZalmrol on Sun Nov 22, 2020 9:27 am, edited 1 time in total.
Andyrh
Posts: 243
Joined: Sat Oct 28, 2017 3:55 am

Re: ZM server with two IP addresses?

Post by Andyrh »

To segregate the traffic and ensure you are using the NICs as intended you must use different subnets.
On a managed switch, create VLANs and use different subnets. On an unmanaged switch, simply use different subnets. The result is effectively the same, but there are differences.

For example:
ENO1 - IP:10.1.1.10 GW 10.1.1.1 Mask 255.255.255.0 -- This is the same subnet as your management and other systems are on.
ENO2 - IP:192.168.1.10 GW (blank) Mask 255.255.255.0 -- This is the same subnet as your cameras.
Assuming no router to connect the 2 subnets, only systems on the 192 subnet can talk to the cameras.

A side effect of not allowing the cameras a route to the internet is they are frequently targets for hackers. This will provide protection.

Out of curiosity, why did you choose to segregate the cameras?
Andy
o||||o

Ubuntu 22.04
ZM 1.36.33
E5-1650-v4 Xeon
16 GB RAM
6 cameras -> 54 FPS modect
DonZalmrol
Posts: 19
Joined: Wed Jun 24, 2020 8:21 am

Re: ZM server with two IP addresses?

Post by DonZalmrol »

Seems I've made a stupid mistake.
When I created a DNS address in my domain, I've pointed it to my ENO2 static IP that is used for the CAM VLAN, instead of pointing it to the static IP of ENO1 on my MAN VLAN...

The main reason was for additional security as I tend to tighten up the FW rules for my CAM VLAN.
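The layout Andyrh describes and the DNS mistake found above can both be checked mechanically. The following is an added example, not code from any poster or from ZoneMinder: it audits data shaped like the JSON that `ip -j addr show` and `ip -j route show` print. The sample data is constructed from the thread's example addressing, and the lowercase interface names, the camera address and the `audit` helper are assumptions.

```python
import ipaddress

# Constructed sample data in the shape of `ip -j addr show` / `ip -j route show`.
ADDRS = [
    {"ifname": "eno1", "addr_info": [{"family": "inet", "local": "10.1.1.10", "prefixlen": 24}]},
    {"ifname": "eno2", "addr_info": [{"family": "inet", "local": "192.168.1.10", "prefixlen": 24}]},
]
ROUTES = [
    {"dst": "default", "gateway": "10.1.1.1", "dev": "eno1"},
    {"dst": "10.1.1.0/24", "dev": "eno1", "prefsrc": "10.1.1.10"},
    {"dst": "192.168.1.0/24", "dev": "eno2", "prefsrc": "192.168.1.10"},
]

def interfaces(addrs):
    """Map interface name -> list of IPv4 interface objects (address + network)."""
    out = {}
    for entry in addrs:
        for info in entry.get("addr_info", []):
            if info.get("family") == "inet":
                out.setdefault(entry["ifname"], []).append(
                    ipaddress.ip_interface(f"{info['local']}/{info['prefixlen']}"))
    return out

def audit(addrs, routes, mgmt_if, cam_if, web_ip, camera_ips):
    """Return a list of findings; an empty list means the split is as intended."""
    ifs = interfaces(addrs)
    findings = []
    # The camera NIC must not carry a default route ("GW (blank)" in the thread).
    for r in routes:
        if r.get("dst") == "default" and r.get("dev") != mgmt_if:
            findings.append(f"default route via {r.get('dev')}, expected only {mgmt_if}")
    # The address the web UI's DNS name resolves to must belong to the management NIC.
    web = ipaddress.ip_address(web_ip)
    owner = next((n for n, lst in ifs.items() if any(i.ip == web for i in lst)), None)
    if owner != mgmt_if:
        findings.append(f"web UI name resolves to {web_ip} on {owner}, expected {mgmt_if}")
    # Each camera must be on-link for the camera NIC, so no gateway is involved.
    for cam in camera_ips:
        if not any(ipaddress.ip_address(cam) in i.network for i in ifs.get(cam_if, [])):
            findings.append(f"camera {cam} is not on-link for {cam_if}")
    return findings

if __name__ == "__main__":
    # DNS record pointing at the camera-side address, as in the post above.
    print(audit(ADDRS, ROUTES, "eno1", "eno2", "192.168.1.10", ["192.168.1.50"]))
```

On a real host, feed it the parsed output of the two `ip -j` commands and pass the address the management DNS name actually resolves to as `web_ip`.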
burger
Posts: 390
Joined: Mon May 11, 2020 4:32 pm

Re: [solved] ZM server with two IP addresses?

Post by burger »

It's very easy to have two ip addresses, if you physically separate the networks.

firewall 1 (cameras only, no internet)
firewall 2 (internet, no cameras)

And two ethernet ports (add a network card if needed) on the ZM server for each separately wired network.

VLANs with one firewall are another option, but require more configuration. Follow the keep it simple philosophy, and stick with two physical networks. One has internet access, the other does not. The one without WAN access will only do DHCP. Done.
fastest way to test streams:
ffmpeg -i rtsp://<user>:<pass>@<ipaddress>:554/path ./output.mp4 (if terminal only)
ffplay rtsp://<user>:<pass>@<ipaddress>:554/path (gui)
find paths on ispydb or in zm hcl

If you are new to security software, read:
https://wiki.zoneminder.com/Dummies_Guide
bbunge
Posts: 2930
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: [solved] ZM server with two IP addresses?

Post by bbunge »

Not sure if I understand just what you want to do with the different LAN cards. We do have a couple of setups that use two subnets on a common un-managed LAN.
We actually use one LAN card with a static IP address and a virtual IP address. To give an example: the ZM server has an IP address of 192.168.1.100 with a subnet 255.255.255.0 and gateway 192.168.1.1. The assigned virtual IP address is 192.168.100.100 with a subnet of 255.255.255.0. All the cameras have static IP addresses assigned in the 192.168.100.0/24 range. Traffic travels over the same LAN wiring/WIFI but the cameras are not visible from other devices on the 192.168.1.0/24 subnet except the ZM server. Therefore the ZM server is accessed to view monitors/manage from the 192.168.1.0/24 subnet.
Andyrh
Posts: 243
Joined: Sat Oct 28, 2017 3:55 am

Re: [solved] ZM server with two IP addresses?

Post by Andyrh »

bbunge, what you are describing is an inexpensive way to keep the cameras off the internet, assuming you do not assign a default GW to anything with a 192.168.100.0/24 address and there is no router for 192.168.100.0/24, and also hiding them from normal viewing.

However you are not preventing anything on your LAN from talking to the cameras, you are only hiding them. If your intention is to hide the cameras and keep them on the LAN I think you have achieved that goal. If you want to really isolate them, that requires either a 2nd unmanaged switch or a managed switch with VLANs.
tylers04s
Posts: 1
Joined: Fri Mar 17, 2023 1:53 pm
Location: San Francisco

Re: [solved] ZM server with two IP addresses?

Post by tylers04s »

It's great to see that you're setting up a new dedicated server with two NICs and separate static IPs for management and camera VLANs. It sounds like you're on the right track and taking some good steps to ensure that your network is set up properly.
yadirasmanns
Posts: 1
Joined: Sat Mar 18, 2023 10:12 am
Location: Kansas City

Re: [solved] ZM server with two IP addresses?

Post by yadirasmanns »

To ensure that ENO1 is solely used for management and ENO2 is solely used for accessing the cameras, you can use some basic networking tools to set up routing rules. For example, you can use the 'route' command to add specific routes for each NIC. This way, traffic intended for management will be sent through ENO1, and traffic intended for camera access will be sent through ENO2. If you need more information on router IP addresses, I'd recommend checking out routeripnet.com for some helpful resources. Alternatively, you could consider using bonding to combine the two NICs into a single logical interface.